AWSTemplateFormatVersion: 2010-09-09
Description: CloudFormation to update DynamoDB with new CIDRs
Parameters:
  KMSKeyArn:
    Description: 'The arn of the ASEA installer KMS key. Used to access the CIDR Pool DDB table'
    Type: 'String'
Resources:
  CIDRS3Bucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Delete
    Properties:
      BucketName: !Sub 'ddb-cidr-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'AES256'
      NotificationConfiguration:
        LambdaConfigurations:
          - Event: 's3:ObjectCreated:*'
            Function: !GetAtt CIDRLambda.Arn
      VersioningConfiguration:
        Status: Enabled
  CIDRBucketInvoke:
    Type: AWS::Lambda::Permission
    Properties:
      Action: 'lambda:InvokeFunction'
      FunctionName: !GetAtt CIDRLambda.Arn
      Principal: 's3.amazonaws.com'
      SourceAccount: !Ref 'AWS::AccountId'
      SourceArn: !Sub 'arn:aws:s3:::ddb-cidr-${AWS::AccountId}'
  CIDRLambda:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        ZipFile: |
          import json
          import boto3
          import os
          s3_client = boto3.client('s3')
          ddb = boto3.resource('dynamodb')
          ddb_client = boto3.client('dynamodb')
          def handler(event, context):
            # Define variables
            bucket_name = event['Records'][0]['s3']['bucket']['name']
            file_name = event['Records'][0]['s3']['object']['key']
            try:
              # Get CIDR allocation file from S3
              s3_response = s3_client.get_object(Bucket=bucket_name, Key=file_name)
              # Get CIDR list from S3
              file_content = json.loads(s3_response["Body"].read().decode("utf-8"))
              cidr_list = file_content["cidr-pools"]
              # Get DynamoDB table name (ends in cidr-pool)
              ddb_tables = (ddb_client.list_tables())['TableNames']
              ddb_table = [table for table in ddb_tables if 'cidr-pool' in table][0]
              # Initialise DynamoDB table resource for the table
              table = ddb.Table(ddb_table)
              # Write CIDRs to the DynamoDB table
              for i, cidr in enumerate(cidr_list):
                cidr['id'] = str(i+1)
                ddb_response = table.put_item(
                Item=cidr
                )
              print('DynamoDB was successfully updated with the CIDR ranges')
            except Exception as e:
              print(e)
      Description: Lambda to update CIDR ranges in DynamoDB
      Handler: index.handler
      MemorySize: 128
      Role: !GetAtt CIDRLambdaRole.Arn
      Runtime: python3.9
      Timeout: 60
  CIDRLambdaRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: 'lambda.amazonaws.com'
            Action:
              - 'sts:AssumeRole'
      Path: '/'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
      Policies:
        - PolicyName: RestrictedPermissions
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: Policy0
                Effect: Allow
                Action:
                  - s3:GetObject
                  - dynamodb:PutItem
                  - kms:Decrypt
                Resource:
                  - !Sub 'arn:aws:s3:::ddb-cidr-${AWS::AccountId}/cidr-update-list.json'
                  - !Sub 'arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/*'
                  - !Ref KMSKeyArn
        - PolicyName: UnrestrictedPermissions
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: Policy1
                Effect: Allow
                Action:
                  - dynamodb:ListTables
                Resource:
                  - '*'
Outputs:
  S3BucketName:
    Description: S3 Bucket for uploading CIDR list
    Value: !Ref CIDRS3Bucket